Category: InfoSec

Continuing his discussion on BYOD and its security implications, Panseh Tsewole looks at carrier-level vulnerabilities in the BYOD ecosystem. Panseh Tsewole reckons this is an area typically not covered by InfoSec pros doing risk analysis on BYOD projects. Whether at home or on the road, traffic reaching our enterprise networks travels through a provider’s infrastructure. In this write-up, Panseh Tsewole discusses some of the issues we should consider.

Transport-layer vulnerabilities can be exploited through a man-in-the-middle (MITM) attack against the carrier’s network. A MITM attack allows the attacker to sniff traffic and gain access to sensitive data. We should ensure the carrier is deploying SSL or HTTPS encryption at the transport level.

Rogue access points are a challenge. Numerous environments such as hotels, airports, coffee shops and some restaurants offer free Wi-Fi. Attackers can use a variety of tools that act as proxies and capture data, including login credentials. One such tool, sslstrip, can be used to capture credentials from sites using the HTTPS protocol. Panseh Tsewole recommends that remote access policies address these vulnerabilities. The policy should ensure that all remote connections to the enterprise network come in through secured SSL VPN connections. Panseh Tsewole has researched numerous SSL VPN solutions in which the client automatically initiates a connection to the enterprise network as soon as it detects internet connectivity outside of the LAN. Palo Alto Networks’ GlobalProtect is one such product.

Some BYODs use GSM technology to connect to the carrier’s network. SIM cloning is a serious vulnerability with such devices. Cloning is basically creating a copy of the original SIM card. Cloning tools are readily available on the internet. A service provider usually implements anti-cloning technology on its network. Our job is to verify that such a countermeasure is in place with the carriers being used by the BYODs on our networks.

Traditionally, the enterprise IT infrastructure team is used to managing all the operating systems in an enterprise. However, with the advent of BYOD, heterogeneous systems are introduced into the network. Different mobile operating systems support different ways to manage device and application security. On Android, if we need to install an application, we have to either grant all the permissions in the list or cancel the install. Apple iOS-based devices are different: we can choose not to give permission to a specific service and still install the application. The level of security can also be compromised if the device is jailbroken and allows installation of applications from unrecognized application sources.

Mobile access to the enterprise brings with it additional threats and vulnerabilities. These are threefold: the mobile devices, the carriers and the enterprise data centers. At the mobile device level, there are OS-related vulnerabilities, data-at-rest vulnerabilities, mobile malware and device theft. Many OS vulnerabilities have led to the compromise of mobile devices. Android OS has been a target for malware writers and hackers for some time now, and enterprises still do not prefer Android for the enterprise.

Some applications might store user credentials for applications such as Facebook locally on the mobile device. Theft or unauthorized access can allow someone to steal that data. Data-at-rest vulnerabilities should be addressed by the application, preferably through encryption.

In the first part of his discussion on BYOD, Panseh Tsewole takes a look at how we got here. Why is BYOD a hot topic at most enterprises? Panseh believes it is an important component of a successful information security program. He will devote the next few weeks to blogging on this topic.

For a long time, organizations provided employees with company-owned portable devices, be it a laptop or a BlackBerry device. Often, the employees were allowed to use these devices to check emails and store contacts, and downloading of rich applications wasn’t allowed. In the last few years, more powerful devices with rich features, such as the iPhone, have been developed and heavily marketed to consumers. Employees have embraced these devices and prefer to use the devices they own for work purposes.

Organizations for the most part have embraced employees using their own devices for work purposes. It makes business sense, as it reduces capital expenditure on procuring these devices. However, allowing employees to bring in their own devices is fraught with risk to an enterprise’s assets.

There are security, privacy and legal concerns to deal with. The questions to be considered include: How much control would the enterprise exert over a BYOD? What is the level of management being assigned to the BYOD? How is the theft of a BYOD going to be handled? Is the enterprise going to allow its data to be stored on the BYOD? Which BYODs are going to be permitted access, and how do we go about determining which to allow? How many BYODs per user would be allowed to connect to the network? How are applications going to be pushed to the BYOD? Can we restrict the user’s access to certain sites on their own device? How far are we going to go to support the BYODs?

These are some of the questions that need to be answered prior to introducing BYOD on an enterprise network.